ACTION REQUIRED: Changes to pulling Chainguard Images

uwu-tools / gh-jira-issue-sync

A tool for synchronizing issue tracking from GitHub to Jira

https://pkg.go.dev/github.com/uwu-tools/gh-jira-issue-sync

Apache License 2.0

3 stars 5 forks source link

ACTION REQUIRED: Changes to pulling Chainguard Images #152

Closed chainguard-alerter closed 1 year ago

chainguard-alerter commented 1 year ago

Hey there Chainguard here.

We noticed that you are using Chainguard Images, thank you! We wanted to make you aware of an upcoming change that will impact your project.

Starting August 16, 2023 public users will no longer be able to pull images from our registry (cgr.dev/chainguard) by tags other than latest or latest-dev. Please see the announcement for more information.

You are currently using the following.

In https://github.com/uwu-tools/gh-jira-issue-sync/blob/a69ffbf554c08a4bf4ee7d2be6bc6228e4ed8e49/Dockerfile:

cgr.dev/chainguard/go:1.20

Our goal is to prevent your project from experiencing any disruptions. Please see the migration guide for options.

If there's more we can do to help please reply to this issue or email us at support@chainguard.dev.

Thank you!

rappizs commented 1 year ago

@justaugustus what should we do in this case? I wouldn't suggest to use the latest tag, should we look for another base image?

mattmoor commented 1 year ago

I think your switch to the go:1.20 image was probably a mistake. That image is the golang toolchain, which is larger than the alpine base it replaces. Do you actually need go for opening tickets?

I think what you want is: cgr.dev/chainguard/static:latest-glibc

That is intended as a runtime image for go programs and so minimal that there is really little risk in tracking latest. You could pin digests and use tooling to bump it if you’d like tho.

rappizs commented 1 year ago

I think your switch to the go:1.20 image was probably a mistake.

Indeed, it was. Thanks for the info and the suggestion!

amouat commented 1 year ago

I had a look at this and I think a multi-stage build would help you, so I opened PR #154.

Using a digest avoids the issue with tags described in this issue but the multi-stage build is nice for reducing the image size and attack surface. You could also change the go version to latest if you're not worried about breaking when the Go compiler updates.

Finally, an even simpler way to build Go images is with the ko project, which avoids the need to use docker build entirely.

justaugustus commented 1 year ago

Thanks for catching this, Chainguardians! Merged @amouat's multi-stage builds PR and opened a follow-up for ko: https://github.com/uwu-tools/gh-jira-issue-sync/issues/155